AFL源码分析之afl-as.c

昨天阅读了afl-gcc的源码，可以看出来afl-gcc主要用途是搜索as所在的位置，然后加上必要的参数参数，在调用gcc进行实际的编译

今天又继续阅读了afl-as.c的源码，这部分主要是对于fuzz插桩的编写，阅读完后不清楚可以看一下sakura师傅的博客，有着对源码的理解，也非常感谢hollk师傅的源码注解，降低了阅读的难度

(22条消息) AFL源码分析之afl-as.c详细注释_hollk’s blog-CSDN博客_afl源码

sakuraのAFL源码全注释 | Sakuraのblog (eternalsakura13.com)

/*
  Copyright 2013 Google LLC All rights reserved.

  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at:

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
*/

/*
   american fuzzy lop - wrapper for GNU as
   ---------------------------------------

   Written and maintained by Michal Zalewski <lcamtuf@google.com>

   The sole purpose of this wrapper is to preprocess assembly files generated
   by GCC / clang and inject the instrumentation bits included from afl-as.h. It
   is automatically invoked by the toolchain when compiling programs using
   afl-gcc / afl-clang.

   Note that it's an explicit non-goal to instrument hand-written assembly,
   be it in separate .s files or in __asm__ blocks. The only aspiration this
   utility has right now is to be able to skip them gracefully and allow the
   compilation process to continue.

   That said, see experimental/clang_asm_normalize/ for a solution that may
   allow clang users to make things work even with hand-crafted assembly. Just
   note that there is no equivalent for GCC.

*/

#define AFL_MAIN

#include "config.h"
#include "types.h"
#include "debug.h"
#include "alloc-inl.h"

#include "afl-as.h"

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <ctype.h>
#include <fcntl.h>

#include <sys/wait.h>
#include <sys/time.h>

static u8** as_params;          /* Parameters passed to the real 'as' 传递给“as”的参数  */

static u8*  input_file;         /* Originally specified input file  输入文件     */
static u8*  modified_file;      /* Instrumented file for the real 'as' “as”进行插桩处理的文件 */

static u8   be_quiet,           /* Quiet mode (no stderr output)    静默模式（没有标准输出）    */
            clang_mode,         /* Running in clang mode?     是否运行在clang模式           */
            pass_thru,          /* Just pass data through?   只通过数据            */
            just_version,       /* Just show version?       只显示版本            */
            sanitizer;          /* Using ASAN / MSAN     是否使用ASAN/MSAN                  */

static u32  inst_ratio = 100,   /* Instrumentation probability (%) 插桩覆盖率      */
            as_par_cnt = 1;     /* Number of params to 'as' 传递给“as”的参数数量初始值             */

/* If we don't find --32 or --64 in the command line, default to 
   instrumentation for whichever mode we were compiled with. This is not
   perfect, but should do the trick for almost all use cases.如果输入命令中没有“--32”或“--64”，则默认检测编译时使用的模式 */

#ifdef WORD_SIZE_64

static u8   use_64bit = 1; //64位的标志

#else

static u8   use_64bit = 0; //32位的标志

#ifdef __APPLE__  //如果是苹国平台
#  error "Sorry, 32-bit Apple platforms are not supported."  //提示苹果不支持32位
#endif /* __APPLE__ */

#endif /* ^WORD_SIZE_64 */


/* Examine and modify parameters to pass to 'as'. Note that the file name
   is always the last parameter passed by GCC, so we exploit this property
   to keep the code simple. 检查并修改要传递给'as'的参数。注意，文件名总是GCC传递的最后一个参数，因此我们利用这个属性来保持代码简单*/

static void edit_params(int argc, char** argv) {

  u8 *tmp_dir = getenv("TMPDIR"), *afl_as = getenv("AFL_AS"); //获取环境变量TMPDIR和AFL_AS
  u32 i;

#ifdef __APPLE__  // 如果

  u8 use_clang_as = 0;

  /* On MacOS X, the Xcode cctool 'as' driver is a bit stale and does not work
     with the code generated by newer versions of clang that are hand-built
     by the user. See the thread here: http://goo.gl/HBWDtn.

     To work around this, when using clang and running without AFL_AS
     specified, we will actually call 'clang -c' instead of 'as -q' to
     compile the assembly file.

     The tools aren't cmdline-compatible, but at least for now, we can
     seemingly get away with this by making only very minor tweaks. Thanks
     to Nico Weber for the idea. */

  if (clang_mode && !afl_as) { //如果使用clang模式且没有获取到afl_as变量就进入该分支

    use_clang_as = 1;

    afl_as = getenv("AFL_CC");  //获取环境变量AFL_CC
    if (!afl_as) afl_as = getenv("AFL_CXX");  //如果没有获取到上面的变量就获取AFL_CXX或者赋值clang字符串
    if (!afl_as) afl_as = "clang";

  }

#endif /* __APPLE__ */

  /* Although this is not documented, GCC also uses TEMP and TMP when TMPDIR
     is not set. We need to check these non-standard variables to properly
     handle the pass_thru logic later on. */

  if (!tmp_dir) tmp_dir = getenv("TEMP");  //如果没有获取到TMPDIR就赋值下面三个中的一种
  if (!tmp_dir) tmp_dir = getenv("TMP");
  if (!tmp_dir) tmp_dir = "/tmp";

  as_params = ck_alloc((argc + 32) * sizeof(u8*));  为as_oarams开辟一段空间

  as_params[0] = afl_as ? afl_as : (u8*)"as";  //将上面的afl_as赋值给as_params，如果没有获取到就将字符串as赋值给as_params

  as_params[argc] = 0; //设置最后一个参数为0

  for (i = 1; i < argc - 1; i++) { //从第一个参数便利到最后一个参数

    if (!strcmp(argv[i], "--64")) use_64bit = 1; //如果遍历到--64字符串就将use_64bit设置为1
    else if (!strcmp(argv[i], "--32")) use_64bit = 0; //如果便利到--32字符串就将use_64bit设置为零

#ifdef __APPLE__ //如果是苹果平台

    /* The Apple case is a bit different... */

    if (!strcmp(argv[i], "-arch") && i + 1 < argc) {  //如果遍历到了-arch参数

      if (!strcmp(argv[i + 1], "x86_64")) use_64bit = 1; //如果是arch x86_64  则设置use_64bint为1
      else if (!strcmp(argv[i + 1], "i386"))  //如果是-arch i386 则报错
        FATAL("Sorry, 32-bit Apple platforms are not supported.");

    }

    /* Strip options that set the preference for a particular upstream
       assembler in Xcode. */

    if (clang_mode && (!strcmp(argv[i], "-q") || !strcmp(argv[i], "-Q"))) //如果是clang模式并且参数是-q或者-Q则跳出循环
      continue;

#endif /* __APPLE__ */

    as_params[as_par_cnt++] = argv[i];

  }

#ifdef __APPLE__

  /* When calling clang as the upstream assembler, append -c -x assembler
     and hope for the best. */

  if (use_clang_as) {

    as_params[as_par_cnt++] = "-c";
    as_params[as_par_cnt++] = "-x";
    as_params[as_par_cnt++] = "assembler"; //如果使用的是clang模式则在as_params追加上述三个参数

  }

#endif /* __APPLE__ */

  input_file = argv[argc - 1];  //将argv最后一个参数赋值给input_file

  if (input_file[0] == '-') {  //如果input_file 的参数是-

    if (!strcmp(input_file + 1, "-version")) { //如果是-version
      just_version = 1;
      modified_file = input_file;  //则将just_version设置为1然后modified_file设置为-version
      goto wrap_things_up; //跳转到参数组合尾部尾部
    }

    if (input_file[1]) FATAL("Incorrect use (not called through afl-gcc?)");  //如果不是-version则抛出异常
      else input_file = NULL;

  } else {

    /* Check if this looks like a standard invocation as a part of an attempt
       to compile a program, rather than using gcc on an ad-hoc .s file in
       a format we may not understand. This works around an issue compiling
       NSS. */

    if (strncmp(input_file, tmp_dir, strlen(tmp_dir)) &&  //如果首字母不是- 判断第9个和第五个字节分把是不是/var/tmp和/tmp 如果都不是则设置pass_thru为1
        strncmp(input_file, "/var/tmp/", 9) &&
        strncmp(input_file, "/tmp/", 5)) pass_thru = 1;

  }

  modified_file = alloc_printf("%s/.afl-%u-%u.s", tmp_dir, getpid(),  //设置modified_file为类似tmp_dir/.afl-pid-time.s这样的字符串
                               (u32)time(NULL));

wrap_things_up:

  as_params[as_par_cnt++] = modified_file;//接收参数为modified最后一个参数
  as_params[as_par_cnt]   = NULL;//参数接收结束

}


/* Process input file, generate modified_file. Insert instrumentation in all
   the appropriate places. */

static void add_instrumentation(void) {//处理输入文件，生成modified_file，将桩插入所有释放的位置

  static u8 line[MAX_LINE];

  FILE* inf;
  FILE* outf;
  s32 outfd;
  u32 ins_lines = 0; //插桩计数器

  u8  instr_ok = 0, skip_csect = 0, skip_next_label = 0,
      skip_intel = 0, skip_app = 0, instrument_next = 0;

#ifdef __APPLE__

  u8* colon_pos;

#endif /* __APPLE__ */

  if (input_file) { //如果存在输入文件名称

    inf = fopen(input_file, "r"); //尝试获取input_file句柄，将fd赋值给inf
    if (!inf) PFATAL("Unable to read '%s'", input_file); //如果获取不到则，抛出异常

  } else inf = stdin; //如果不存在文件名则赋值标准输入

  outfd = open(modified_file, O_WRONLY | O_EXCL | O_CREAT, 0600); //以写的方式打开modified_file，如果文件已存在就直接打开，如果没有就创建一个

  if (outfd < 0) PFATAL("Unable to write to '%s'", modified_file); //如果文件没有写权限，就抛出异常

  outf = fdopen(outfd, "w"); //尝试打开

  if (!outf) PFATAL("fdopen() failed");   //打不开就抛出异常

  while (fgets(line, MAX_LINE, inf)) {  //循环读取inf指向的文件的每一行到line数组，每行最多MAX_LINE（8192）个字节，含末尾“\0”

    /* In some cases, we want to defer writing the instrumentation trampoline
       until after all the labels, macros, comments, etc. If we're in this
       mode, and if the line starts with a tab followed by a character, dump
       the trampoline now. */

    if (!pass_thru && !skip_intel && !skip_app && !skip_csect && instr_ok &&
        instrument_next && line[0] == '\t' && isalpha(line[1])) { //446行判断是否为defered mode模式(判断instrument_next和instr_ok是否都为1，以及line是否以\t开始，且line[1]是否是字母）

      fprintf(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32,
              R(MAP_SIZE)); //插桩

      instrument_next = 0; //instrument_next设置为0
      ins_lines++; //插桩计数器加1

    }

    /* Output the actual line, call it a day in pass-thru mode. */

    fputs(line, outf);

    if (pass_thru) continue;

    /* All right, this is where the actual fun begins. For one, we only want to
       instrument the .text section. So, let's keep track of that in processed
       files - and let's set instr_ok accordingly.首先，我们只想检测.text部分。让我们在已处理的文件中跟踪它，并相应地设置instr_ok */

    if (line[0] == '\t' && line[1] == '.') { //判断读入的行是否以\t开头，以及line[1]是否为.

      /* OpenBSD puts jump tables directly inline with the code, which is
         a bit annoying. They use a specific format of p2align directives
         around them, so we use that as a signal. OpenBSD将跳转表直接内联到代码中，这有点烦人。它们使用特定格式的p2align指令，所以我们将其用作信号 */

      if (!clang_mode && instr_ok && !strncmp(line + 2, "p2align ", 8) && //检查是否为p2align指令，如果是则设置skip_next_label为1
          isdigit(line[10]) && line[11] == '\n') skip_next_label = 1;//instr_ok变量是一个flag，如果为1表示位于.text段，如果为0表示不再.text段

      if (!strncmp(line + 2, "text\n", 5) ||
          !strncmp(line + 2, "section\t.text", 13) ||
          !strncmp(line + 2, "section\t__TEXT,__text", 21) ||
          !strncmp(line + 2, "section __TEXT,__text", 21)) {
        instr_ok = 1; //匹配"text\n"、"section\t.text"、"section\t__TEXT,__text"、"section __TEXT,__text"，如果匹配成功则设置instr_ok为1。跳出本次循环
        continue; 
      }

      if (!strncmp(line + 2, "section\t", 8) ||
          !strncmp(line + 2, "section ", 8) ||
          !strncmp(line + 2, "bss\n", 4) ||
          !strncmp(line + 2, "data\n", 5)) {
        instr_ok = 0;//匹配"section\t"、"section "、"bss\n"、"data\n"，如果匹配成功说明不是在.text段，设置instr_ok变量为0
        continue;
      }

    }

    /* Detect off-flavor assembly (rare, happens in gdb). When this is
       encountered, we set skip_csect until the opposite directive is
       seen, and we do not instrument. */

    if (strstr(line, ".code")) { //判断架构

      if (strstr(line, ".code32")) skip_csect = use_64bit;
      if (strstr(line, ".code64")) skip_csect = !use_64bit;

    }

    /* Detect syntax changes, as could happen with hand-written assembly.
       Skip Intel blocks, resume instrumentation when back to AT&T. */

    if (strstr(line, ".intel_syntax")) skip_intel = 1;//判断是否为Intel汇编语法
    if (strstr(line, ".att_syntax")) skip_intel = 0;//判断是否为att汇编语法

    /* Detect and skip ad-hoc __asm__ blocks, likewise skipping them. */

    if (line[0] == '#' || line[1] == '#') {//ad-hoc __asm__块是否跳过

      if (strstr(line, "#APP")) skip_app = 1;
      if (strstr(line, "#NO_APP")) skip_app = 0;

    }

    /* If we're in the right mood for instrumenting, check for function
       names or conditional labels. This is a bit messy, but in essence,
       we want to catch:插桩时终端关注对象

         ^main:      - function entry point (always instrumented)
         ^.L0:       - GCC branch labelgcc下的分支标记
         ^.LBB0_0:   - clang branch label (but only in clang mode)clang下的分支标记（仅仅只是在clang模式中）
         ^\tjnz foo  - conditional branches条件跳转分支标记

       ...but not:

         ^# BB#0:    - clang comments
         ^ # BB#0:   - ditto
         ^.Ltmp0:    - clang non-branch labels
         ^.LC0       - GCC non-branch labels
         ^.LBB0_0:   - ditto (when in GCC mode)
         ^\tjmp foo  - non-conditional jumps

       Additionally, clang and GCC on MacOS X follow a different convention
       with no leading dots on labels, hence the weird maze of #ifdefs
       later on.

     */

    if (skip_intel || skip_app || skip_csect || !instr_ok ||
        line[0] == '#' || line[0] == ' ') continue;

    /* Conditional branch instruction (jnz, etc). We append the instrumentation
       right after the branch (to instrument the not-taken path) and at the
       branch destination label (handled later on). */

    if (line[0] == '\t') {

      if (line[1] == 'j' && line[2] != 'm' && R(100) < inst_ratio) {  //对于形如\tj[^m].格式的指令，即条件跳转指令，且R()函数创建的随机数小于插桩密度inst_ratio

        fprintf(outf, use_64bit ? trampoline_fmt_64 : trampoline_fmt_32,
                R(MAP_SIZE)); // 判断是否为64位程序，使用fprintf函数将桩插在outf只想的文件的\tj[^ m].跳转指令位置，插入长度为R函数创建的小于MAP_SIZE的随机数

        ins_lines++; //插桩计数器+1，跳出循环进行下一次遍历

      }

      continue;

    }

    /* Label of some sort. This may be a branch destination, but we need to
       tread carefully and account for several different formatting
       conventions. */

#ifdef __APPLE__

    /* Apple: L<whatever><digit>: */

    if ((colon_pos = strstr(line, ":"))) {

      if (line[0] == 'L' && isdigit(*(colon_pos - 1))) {

#else

    /* Everybody else: .L<whatever>: */

    if (strstr(line, ":")) {  //检查line中是否存在“:”

      if (line[0] == '.') {  //检查是否以“.”开始

#endif /* __APPLE__ */

        /* .L0: or LBB0_0: style jump destination */

#ifdef __APPLE__

        /* Apple: L<num> / LBB<num> */

        if ((isdigit(line[1]) || (clang_mode && !strncmp(line, "LBB", 3)))//检查line[1]是否为数字，或者在clang模式下从line开始的三个字节是否为LBB，并且随机数小于插桩密度
            && R(100) < )inst_ratio {

#else

        /* Apple: .L<num> / .LBB<num> */

        if ((isdigit(line[2]) || (clang_mode && !strncmp(line + 1, "LBB", 3)))
            && R(100) < inst_ratio) { //检查line[2]是否为数字，或者在clang模式下从line[1]开始的三个字节是否为LBB，并且随机数小于插桩密度

#endif /* __APPLE__ */

          /* An optimization is possible here by adding the code only if the
             label is mentioned in the code in contexts other than call / jmp.
             That said, this complicates the code by requiring two-pass
             processing (messy with stdin), and results in a speed gain
             typically under 10%, because compilers are generally pretty good
             about not generating spurious intra-function jumps.

             We use deferred output chiefly to avoid disrupting
             .Lfunc_begin0-style exception handling calculations (a problem on
             MacOS X). */

          if (!skip_next_label) instrument_next = 1; else skip_next_label = 0;   //检查skip_next_label是否设置，是就将instrument_next设置为1 否就将skip_next_label设置为0

        }

      } else {

        /* Function label (always instrumented, deferred mode). */

        instrument_next = 1;  //否则代表这是一个function label，插桩^func，设置instrument_next为1（defered mode）
    
      }

    }

  }

  if (ins_lines)//如果插桩计数器不为0
    fputs(use_64bit ? main_payload_64 : main_payload_32, outf); //向outf中写入main_payload_64或main_payload_32

  if (input_file) fclose(inf);  //关闭文件
  fclose(outf); //关闭文件

  if (!be_quiet) { //如果使用的不是静默模式

    if (!ins_lines) WARNF("No instrumentation targets found%s.", //如果插桩计数器为空，抛异常
                          pass_thru ? " (pass-thru mode)" : "");
    else OKF("Instrumented %u locations (%s-bit, %s mode, ratio %u%%).", //插桩成功输出
             ins_lines, use_64bit ? "64" : "32",
             getenv("AFL_HARDEN") ? "hardened" : 
             (sanitizer ? "ASAN/MSAN" : "non-hardened"),
             inst_ratio);
 
  }

}


/* Main entry point 主函数*/

int main(int argc, char** argv) {

  s32 pid;
  u32 rand_seed;
  int status;
  u8* inst_ratio_str = getenv("AFL_INST_RATIO");//获取环境变量AFL_INST_RATIO（该环境变量主要控制检测每个分支的概率，取值为0到100%，设置为0时值检测函数入口的跳转，而不会检测函数分支的跳转）

  struct timeval tv;
  struct timezone tz;

  clang_mode = !!getenv(CLANG_ENV_VAR);

  if (isatty(2) && !getenv("AFL_QUIET")) {

    SAYF(cCYA "afl-as " cBRI VERSION cRST " by <lcamtuf@google.com>\n");
 
  } else be_quiet = 1;

  if (argc < 2) {

    SAYF("\n"
         "This is a helper application for afl-fuzz. It is a wrapper around GNU 'as',\n"
         "executed by the toolchain whenever using afl-gcc or afl-clang. You probably\n"
         "don't want to run this program directly.\n\n"

         "Rarely, when dealing with extremely complex projects, it may be advisable to\n"
         "set AFL_INST_RATIO to a value less than 100 in order to reduce the odds of\n"
         "instrumenting every discovered branch.\n\n");

    exit(1);

  }

  gettimeofday(&tv, &tz);//获取当前精确时间

  rand_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); //通过当前时间与进程pid进行亦或处理

  srandom(rand_seed);//获得随机化种子

  edit_params(argc, argv);//检查并修改参数以传递给“as”。文件名是以GCC传递的最后一个参数决定的。此函数主要设置变量as_params的值，以及use_64bit/modified_file的值

  if (inst_ratio_str) {//如果获取到"AFL_INST_RATIO"环境变量则进入分支

    if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || inst_ratio > 100) // 如果没有将覆盖率写入inst_ratio变量或者inst_ratio中的值超过100的话，则进入分支抛出异常
      FATAL("Bad value of AFL_INST_RATIO (must be between 0 and 100)");

  }

  if (getenv(AS_LOOP_ENV_VAR))//如果获取到"__AFL_AS_LOOPCHECK"环境变量值，则进入分支
    FATAL("Endless loop when calling 'as' (remove '.' from your PATH)");//抛出异常

  setenv(AS_LOOP_ENV_VAR, "1", 1);//设置"__AFL_AS_LOOPCHECK"环境变量为1

  /* When compiling with ASAN, we don't have a particularly elegant way to skip
     ASAN-specific branches. But we can probabilistically compensate for
     that... */

  if (getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) { //获取"AFL_USE_ASAN"或"AFL_USE_MSAN"环境变量，如果其中有一个值为1则进入分支
    sanitizer = 1;//sanitizer设置为1
    inst_ratio /= 3;//inst_ratio除以3
  }

  if (!just_version) add_instrumentation();//如果不是只查询version，那么就会进入add_instrumentastion()函数，该函数主要处理输入文件，生成modified_file，将桩插入释放的位置

  if (!(pid = fork())) { //调用fork函数创建一个子进程。在执行execvp函数执行是

    execvp(as_params[0], (char**)as_params);//执行命令和参数
    FATAL("Oops, failed to execute '%s' - check your PATH", as_params[0]);//失败了就抛出异常

  }

  if (pid < 0) PFATAL("fork() failed");//等待子进程结束

  if (waitpid(pid, &status, 0) <= 0) PFATAL("waitpid() failed"); //读取环境变量"AFL_KEEP_ASSEMBLY"失败，则unlink掉modified_file

  if (!getenv("AFL_KEEP_ASSEMBLY")) unlink(modified_file);
  //设置该环境变量主要是为了防止afl-as删掉插桩后的汇编文件，设置为1会保留插桩后的汇编文件
  exit(WEXITSTATUS(status));

}